A similar court skirmish last year scuttled the Safe Harbor agreement between the U.S. and the European Commission, and according to Fortune, the Privacy Shield deal that replaced Safe Harbor is stricter, but there are loopholes.

Facebook and other companies are using a mechanism referred to as “standard contractual clauses”—also known as “model clauses” or “model contracts”—to continue transferring data from European users to the U.S., and the DPC in Ireland is exploring the legality of these arrangements, Fortune reported.

According to Fortune, Schrems told the DPC in his complaint that these standard contractual clauses do not offer an adequate way for European citizens to complain if a U.S. agency accesses their data, and he said in a statement, as reported by Fortune:

All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the U.S. does not substantially change its laws, I don’t see (how) there could be a solution.

The DPC said in a statement, as reported by Fortune:

We continue to thoroughly and diligently investigate Mr. Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr. Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the (European Court of Justice) to determine the legal status of data transfers under standard contractual clauses. We will update all relevant parties as our investigation continues.

Fortune also shared the following statement from Facebook:

Thousands of companies transfer data across borders to serve their customers and users. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish (DPC) in its investigation. Standard contract clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.